Security Incidents mailing list archives
Re: Upload of "pipes.scr" attempted to NetBus "honeypot"
From: "Sverre H. Huseby" <shh () THATHOST COM>
Date: Thu, 25 Jan 2001 19:32:33 +0100
[Dennis McHenry]

| If it's a trojan, the author likes the long shots. First to find
| a system that's vulnerable to whatever exploit they're using, then
| to get it onto a system where Pipes is the active screensaver. I
| don't know how it'd drop into the correct directory, either. It
| didn't seem like they were trying to get it into the Windows
| directory (where it's installed by default). Some virus, maybe?

The attacker wouldn't need to put it in the right directory, or wait for the user to execute it. There's a NetBus command for executing programs (don't know if .scr files would be covered by that command).

Unfortunately, since I don't know how to correctly reply to the UploadFileCommand, the connection is closed before we're able to see the next step of the attacker. I would guess an attempt to execute the file would be a natural next step, but then again, I'm guessing heavily here.

Sverre.

--
<URL:mailto:shh () thathost com>
<URL:http://shh.thathost.com/>